
Thursday, September 6, 2012

Update5:
Mediafire notified me the other day that they had confirmation from LeakID that the notices they submitted were done in error. They restored all the file access.
I want to thank all who helped me with the posts and updates: Paul Robert from SophosLabs, Soulskill - Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter and the Mediafire team for the über fast response to the posts and resolution. I guess LeakID do not speak to victims directly, never heard from them.

Update4:

robocoparchive.com

This is the last update, Update 4, after which we will return to normal operations. Yesterday afternoon the Director of MediaFire Customer Support reached out and we exchanged a couple of long emails. In short, he pointed out they have to comply with the DMCA notices and apologized for the interruption. I pointed out that LeakID did not comply with the DMCA filing rules, in particular, they did not "identify the copyrighted work claimed to have been infringed" and falsely stated "that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." As a result, they (LeakID) do not deserve any respect and Mediafire's relationship with LeakID undermines customer trust in Mediafire and cloud services in general.
I must note that the account was un-suspended pending the "infringement investigation" results. My counterclaim will be answered or expire on September 16, after which I hope all charges will be cleared. This reactivation happened only thanks to the magazine and blogpost articles. Normally, the three strikes result in account closing suspension pending the results. (Sept. 8, 2012 - I just received a reply to my email from the MediaFire President and CEO Derek Labian assuring me that they investigate all the suspended accounts and it would be resolved regardless of any posts as they take these claims seriously, but not as fast as I would like. He also stated that if mistakes were made, they were made by LeakID and not Mediafire.)

I understand that the claims came from LeakID and I do understand that all claims must be checked and it takes time to check them. However, I do not appreciate auto-enforcement of American laws by foreign (and American) robots who do not even follow the filing laws. I think accounts should be suspended after the claims are proven to be true, not before.

Here are links to a related court case and an EFF article about Warner Brothers, who used LeakID services to crawl Hotfile links and file baseless copyright infringement notices en masse.

New hosting:
We had very kind offers from many people, including those who we know well and highly trust. We are thankful and might accept an offer later. At this point, it looks like there is not a lot of data in the public facing storage of Contagio (we are talking a few GB at this point), and we can host it on a DeepEnd Research server.

New Data / new posts:
All new posts will have download links to a new storage. Exchange and Mobile Exchange public upload boxes will upload data to Mediafire, after which it will be copied to the new storage as it comes.

Old data / old posts:
The old data will be mirrored to a new location and will be relinked in each post very gradually or very fast, depending on the copyright robots' craziness and resulting DMCA notices. I will provide a link to the entire collection on the new storage for Contagio / Contagio Mobile / Contagio Exchange so you can save to your own storage and not worry about future issues. You can do it now too - all blogs have "Download it all" links on the right side.

Mediafire:
Mediafire will host Upload boxes and all incoming new data will be mirrored to a new storage. Old links will point to Mediafire for the time being - until we change them.

Update 3 August 7, 2012

I am delighted that Mediafire unblocked my account. I believe it is still in danger of being blocked due to the copyright violation pending claims (see the screenshot below) but at least I can get access to my 34+ GB of data and pull it out in one piece. I am glad Mediafire responded - not directly to me but at least by unblocking it. I hope LeakID meet a more serious problem than Contagio on their path and get sued.

I want to thank Paul Robert from SophosLabs, Soulskill - Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter (https://twitter.com/#!/search/snowfl0w) and sent emails with invitations for hosting, offers of legal help, and advice. I hoped this would get resolved peacefully and it did for now, and quicker than I hoped. Thank you all again.

I will be gradually relinking files to a new storage. Mediafire service has been fast and convenient but I do not want to deal with the copyright robocops that can cause a shutdown at any moment.

I hope the account stays active during the time of transition.

Mila

Update 2

Once again, thank you all for your offers of help, advice, RTs and mentions on Twitter. It really helps and I appreciate it.
I tried to call LeakID but got their answering service. I also talked with a Mediafire support person, who kindly explained to me that:

1. They do not discuss legal / account suspension matters over the phone but only via email and ticketing. I need to wait for their answers via email. Waiting..
2. My account was suspended for 3 consecutive copyright violations.

I was surprised but I figured out what they were:

1. August 9, 2012
"The file named Office2010-kb2289161-fullfile-x64-glb.exe is identified by the key (pgfawjnsdt8zt88)."
This is a free Microsoft Office patch for Office 2010 downloadable from here http://www.microsoft.com/en-us/download/details.aspx?id=22189. I had it in my mediafire account folder and posted here. When I got this notice in August, I thought it was paranoid and silly, considering that these patches are free for all Windows users and copied to every WSUS system freely but I did not research the copyright details on the patches so I did not feel like spending time and just removed the file. It was a mistake as they counted it as strike 1.
Update Sept 7: As requested, the full notice sent regarding the MS Office patch is pasted here, together with the YouTube videos that were embedded in it. It is 31 pages long. http://contagiodump.blogspot.com/2011/09/mediafire-dmca-office2010-kb2289161.html

2. September 6, 2012
"CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8)"
As I said, it happens to be an encrypted zip with a malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
I did file the counterclaim this morning but it was strike 2.

I tried to explain below that it is not a copyrighted file but is an example of an exploit.

Interestingly, their emails come with embedded YouTube videos - some ads of sorts. I don't know what kind of copyright infringement claim comes with ads, I guess the victims of their bullying click on the videos hoping for an explanation of the craziness and LeakID or Mediafire get paid for it?

Also, my file was listed in the message in a very long list of other files that belonged to other users - see part of it on the screenshot, which is utterly unprofessional for an official copyright claim.

LeakID cannot see file contents because of the password and their decision was made based on the filenames / mask searches. Not sure what kind of alert my file names triggered - maybe some keys or some movie names, but the lack of discretion and investigation is astounding. If Contagio were a company, I would be wondering if these are my competitors filing such complaints to take me out of business, as it seems to be a perfect way to DoS any service these days.

Update:
Thank you all for the offers of support (really appreciate it) and additional information - see links below from bloggers who had their own works removed or were/are in a similar situation with LeakID and various hosting services.

==================================================================

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

This morning I got pop ups on my Mediafire Pro (paid) account about copyright violations on my account, in particular CVE-2009-0927_CVE-2009_5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip, which happens to be an old malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
The picture of the pop up is below. The file is encrypted with an uncommon password, making it impossible to accidentally unzip and infect anyone, thus does not violate any anti-malware rules. In any case, the argument was about copyright, not malware.

Mediafire support suggested filing a counterclaim with a French copyright watchdog company called LeakID, after which they promised to unblock the file if LeakID do not respond.

I sent an email to LeakID and to Mediafire support. After a number of emails back and forth and many protests on my part, I gave up and filed the counterclaim. I was against filing it at first because there is not any investigation, checks, or presumptions of innocence. I can see nothing but trolling based on some grep mask they use to search through file sharing services and cause the suspension.

Mediafire responded a few times and then completely blocked my account as a way to show they have the upper hand in this situation and are in control of my files regardless of what I think. The customer service representative "LaChandra" was very polite but that does not change the fact that this is an unacceptable attitude to customers who do not violate anything but are being wrongfully accused by some third party organizations.

Apparently, anyone can contact any file sharing service and claim DMCA violations and make them suspend any file you don't like? All it takes is to claim you are a file owner or representative of the owner (LeakID are making illegal false claims in this case, as they are not and cannot be owners of it) and the file will be suspended.

If / when I get access to the files again, I will be moving them to another service, except I am not sure what kind of service, except my own hosting I can trust now. For me it is a black mark on all cloud services and a reason why I would be hesitant to recommend using cloud services for companies who are concerned about ownership of their files.

Dear MediaFire User:
MediaFire has received notification under the provisions of the Digital Millennium Copyright Act ("DMCA") that your usage of a file is allegedly infringing on the file creator's copyright protection. The file named CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8). As a result of this notice, pursuant to Section 512(c)(1)(C) of the DMCA, we have suspended access to the file.

The reason for suspension was:

BDM user "lachandra" says: Hello, My Name is Hervé Lemaire , CEO of LeakID, I am legal representative of lemaire which does business under the name Metropolitan, Authorized to act on behalf of the owner of an exclusive right that is allegedly infringed. You are hereby given notice valid under the DMCA copyright infringement notification requirements, 17 U.S.C.512. I am the designated agent of the owner of the copyrights of the images and audio/visual works listed below. I believe that the images and audio/visual works listed at the times cited below are being copied and distributed in a manner that has been not authorized by the owner of the copyrights, its agent or the law. All link below containing pirated versions of lemaire copyrighted works. The information in the notice is accurate, under penalty of perjury. Please remove all links As soon as possible, we will check them everyday. Thanks to inform us about your actions. We appreciate your efforts toward this common goal. Very truly yours, Hervé Lemaire Leakid 15 bis rue de chateaudun 92250 La garenne colombes France 0033698211000 Contact lemaire Expendables -
===================

Mediafire pro reply

Hello Mila,

Thank you for contacting MediaFire. Unfortunately we are bound by Federal law that if we receive a complete DMCA notice we have to prevent the file from being shared. The best thing to do is follow the counterclaim process that was explained in the notice stating that the file was claimed for copyright. If you file a counterclaim the reporting party has 10 days to respond. If they do not we can restore the file.

I am sorry that you are going through this but you will encounter this with any reputable site as we have to follow the law. Follow the instructions in the email to begin the counterclaim process.

Hello Mila,

This is what someone reporting a file must provide.

1. Identify yourself as either:
   1. The owner of a copyrighted work(s), or
   2. A person "authorized to act on behalf of the owner of an exclusive right that is allegedly infringed."
2. Identify the copyrighted work claimed to have been infringed
3. Identify the material that is claimed to be infringing or to be the subject of the infringing activity and that is to be removed or access to which is to be disabled, as well as information reasonably sufficient to permit MediaFire to locate the material in the form of a MediaFire.com URL/URLs.
4. Provide contact information that is reasonably sufficient to permit us to contact you, such as an address, telephone number, and a valid electronic mail address.
5. State that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agents, or the law.
6. State that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

If they do all that then we have to prevent the file from being shared. For more details on the information required for valid notification, see 17 U.S.C. 512(c)(3).

Links about LeakID. This article http://korben.info/leakid-la-solution-anti-direct-download.html explains how they are making money by searching and claiming to be the owner / representing owners of every item that their crazy engine tags. I wonder if they have malware authors among customers or they just grab everything and let their paying customers sort it out.

I received the exact same notification on one of my mediafire files. This company does not seem legit as my file in question is completely original. I don't even understand why Mediafire is letting this very questionable company, LeakId, bully its legitimate customers.

Since when malicious sample is having a legitimate copyright? How in the h*ll they can judge the assumed copyrighted object since is protected? Who said that the claimed so-called "file" is a computer file? AFAIK is a "malicious code sample" NEVER be a file.

Law is a two bladed knife... If I were you I will take this to court to settle.

LOL... I think this would be the best tactic to take. They have filed a legal document that they attest to "under grounds of perjury". So victims of the virus/malware should have a simple case against LeakId as they claim ownership.

How can they file a claim in "good faith" if they can't open the file and see what's actually inside? Isn't that perjury in itself? And if they cracked the password, isn't that a violation of DMCA on their part?

DON'T USE THE CLOUD. You will run into this with every service you use, period. Get yourself an FTP server or something, but DO NOT use cloud services, they are all a "scam" with similar issues like this.

Mediafire listed what is required in a DMCA takedown request. #2 is "Identify the copyrighted work claimed to have been infringed." LeakID's spammy takedown request doesn't do that, so it is clearly invalid. You have to wonder why Mediafire and the like don't simply ignore those. I understand sometimes it's easier to go along, but in this case it would literally be faster to scan the notice, see that it doesn't list what works are alleged to have been infringed, and just reject it out of hand.

Wow, this is a pretty comprehensive article. I knew I wasn't the only one getting screwed by this legal scamming, but it's bigger than I realized. Profiting from the suppression of knowledge dissemination, itself done completely without commercial intent, is simply deplorable.

'There's no such thing as hell, but you can make it if you try.' People like Lemaire do nothing productive for society. He should find a real job.

In all fairness, the OP doesn't display the full notice. You can clearly see it's cut off. Also, one of the files she has listed in this post is Microsoft office 2010 full version x64, which looks very suspicious. I've read Mila for some time now and this was the first I questioned her integrity. I would have expected better attention to detail.

@Anonymous. the full original notice is 31 pages long. I pasted it here for your enjoyment http://contagiodump.blogspot.com/2011/09/mediafire-dmca-office2010-kb2289161.html

When it comes to law it is not what it "feels like" or "looks like" that matters but what it actually is. In this case, it is Security Update for Microsoft Office 2010 (KB2289161), 64-Bit Edition with the file name Office2010-kb2289161-fullfile-x64-glb.exe found here http://www.microsoft.com/en-us/download/details.aspx?id=22189. I don't think it is illegal to repost it, especially with full credits to Microsoft but I did take it down when they filed the claim.

I hope you learned the importance of not hosting your content on sites not belonging to you. Go dish out some money on your own box and put it out there so it's under your terms. Register a domain outside the United States as well.

I can't understand why people like this put their data out there and complain about the long process of getting it back online, accessing their data, unlocking their account, etc. People just don't learn.

Host it yourself and others could have a more difficult time of taking it down.

Sure, international waters/oil rig hosting, way to go. I dish out money to cloud providers and so do millions and millions of customers, including probably your current or future employers - in some form or fashion. If you host your own mail and web hosting and everything else, kudos. It was the way of the old age and maybe will be of the future, who knows. In any case, thank you for the advice.

I host my own web servers, mail, firefox sync, teamspeak, etc. (including all of the support systems, DNS, backup, firewalls, etc), it's really not that hard and can be accomplished on a budget when you leverage virtualization platforms.

Furthermore, as long as I'm the IT manager (or higher) where I work, we're not going to host *anything* with "the cloud". The liability is just too great.

So, people out there are taking a stand and aren't giving their digital assets freely to just anyone who asks.

Hi Mila,

The embedded YouTube videos that you mention were added by Gmail, they are not in the original message. Gmail scans your mail for YouTube videos and offers you an embedded version so you can watch it without leaving your email. You used to be able to turn it off, but I don't think you can anymore. If you look at the other URLs mentioned in the takedown notice, you will see several YouTube links there and those are the ones that Gmail is showing.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.